AI regulation and data governance

Artificial intelligence and advanced data processing are now central to digital operations, commercial strategy and regulatory risk. Organisations must be able to demonstrate that AI systems are designed, developed and deployed within a defensible governance framework. This page introduces the regulatory landscape for AI regulation and data governance, explains the core governance disciplines and links to Bratby Law’s related pages.

What AI regulation and data governance means

AI and data governance refers to the structures, processes and controls through which organisations manage the risks and responsibilities associated with AI systems and complex data use. Effective governance requires:

• clear allocation of accountability
• risk identification and management throughout the AI lifecycle
• control over data inputs, training data and data provenance
• validation and oversight of models and automated decision-making
• appropriate transparency, explainability and assurance
• preparedness for investigations, audits or regulatory engagement

Governance frameworks must be proportionate to the nature of the AI systems and their potential impact on individuals, markets and society.

AI regulation landscape

AI and data governance is shaped by a combination of statutory requirements, regulatory expectations and international standards.

United Kingdom

The UK undertakes AI regulation through existing legislation and sector-based regulators rather than a single comprehensive statute. Key instruments include:

• the Data (Use and Access) Act 2025, amending UK GDPR and the Data Protection Act 2018
• the Online Safety Act 2023, governing certain AI-driven content and recommender systems
• sectoral requirements from Ofcom, the ICO, the CMA and the FCA
• the government’s AI Regulation White Paper framework and cross-cutting AI principles
• emerging guidance on high-risk AI uses, algorithmic transparency and automated decision-making

Regulators expect organisations to manage risk through structured governance and to document how systems meet regulatory standards.

European Union

The EU AI Act introduces a harmonised framework applying from 2026 onwards for AI regulation. It classifies AI systems by risk and imposes specific requirements on high-risk and general-purpose AI models. The EU Data Act and Digital Services Act impose further obligations on data access, sharing and platform governance.

UK organisations may be caught by EU AI regulation requirements where AI systems are placed on the EU market or used in the EU.

International Ai regulation and governance standards and guidance

Frameworks influential in shaping governance include:

• OECD AI Principles
• NIST AI Risk Management Framework
• Council of Europe Convention on AI, Human Rights and Democracy
• ISO/IEC standards on AI management systems, risk and quality
• industry-specific guidance from financial, telecoms, competition and consumer regulators

Organisations operating across borders should aim for governance structures that are interoperable across these frameworks.

Core governance disciplines

Accountability and oversight

Boards and senior management must take responsibility for the use of AI within the organisation. Effective oversight requires:

• clear roles and delegated responsibilities
• governance committees or equivalent decision-making forums
• accountability frameworks for development, procurement and deployment
• auditability and documented rationale for significant decisions

Risk management

AI must be subject to structured risk assessment and mitigation, covering:

• model behaviour and performance
• algorithmic fairness and bias
• data quality, provenance and ethics
• robustness, security and resilience
• risks from general-purpose and third-party AI models
• impacts on customers, employees and wider society

Data governance

AI governance is inseparable from data governance. Organisations should maintain:

• clear data inventories and lineage
• controls for data access and quality
• lawful bases for training data and model inputs
• protection against data leakage, reconstruction or inversion attacks
• contractual controls covering third-party data and APIs

Model governance and validation

Model governance requires:

• documentation of model design, assumptions and intended use
• validation and testing before deployment
• monitoring of performance, drift, and unintended outcomes
• human oversight, including override and escalation processes
• post-market monitoring where required by regulation

Supplier and foundation-model governance

Many firms rely on external AI tools and general-purpose AI models. Governance should include:

• due diligence on model providers
• contractual allocation of responsibilities and liability
• assessments of data use, IP rights and restrictions
• controls for API-based or embedded model use

Incident management and reporting

Organisations should maintain:

• incident response processes for AI-related failures
• channels for internal reporting and escalation
• compliance with statutory reporting requirements
• readiness for regulatory engagement and investigations

Interaction with other regulatory regimes

AI governance intersects with multiple regulatory obligations, including:

• data protection, including automated decision-making and profiling
• Online Safety Act duties for platforms and content providers
• consumer protection law and fairness in automated outcomes
• competition law issues arising from the use of AI in pricing, ranking or market operations
• safety regulation for systems relevant to critical infrastructure or autonomous functionality

Sector regulators increasingly expect organisations to evidence governance frameworks and decision-making.

Cross-border considerations

International businesses must manage:

• divergence between UK and EU regimes in timing, scope and terminology
• extraterritorial reach of the EU AI Act and US state-level regimes
• supply-chain risk where models rely on third-country data or components
• compliance with local standards in high-risk jurisdictions

A harmonised approach reduces audit duplication and strengthens defensibility.

Future direction

The regulatory environment for AI regulation and data governance will continue to evolve. Anticipated developments include:

• further UK guidance on high-risk use and regulatory assurance
• implementation of the EU AI Act and related standards
• greater supervisory focus on general-purpose AI models
• mandatory transparency and audit requirements for certain sectors
• increased cross-regulator coordination, including Ofcom, ICO and CMA

Firms should adopt governance structures capable of scaling as regulatory expectations increase.

How Bratby Law assists with AI regulation and governance

We support clients in building, documenting and improving AI and data governance frameworks. Our work includes:

• AI governance frameworks aligned with UK, EU and international standards
• risk assessments for high-risk and general-purpose AI
• data governance and lawful use of training data
• model governance structures and lifecycle controls
• AI-related contractual frameworks and supplier management
• regulatory engagement and preparation for supervision or assurance
• internal policies, standards and training materials
• readiness assessments for the EU AI Act and the Data (Use and Access) Act

Our advice is practical, sector-informed and centred on creating governance that works for both compliance and innovation.

Why choose Bratby Law for AI regulation and governance

• expert regulatory insight into AI, data protection and digital technologies
• experience advising clients in regulated and data-intensive sectors
• practical understanding of technical, operational and governance challenges
• commercially grounded advice tailored to organisational risk
• integrated approach spanning legal, regulatory and technical issues

Independent directory rankings

Our specialist expertise is recognised in major independent legal directories:

• Chambers & Partners: Rob Bratby is ranked in the UK Guide 2026 in the “Telecommunications” category: Chambers
• The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms): The Legal 500
• Lexology: Rob Bratby is featured on Lexology’s expert profiles (Global Elite Thought Leader): Lexology

What clients say

External links

United Kingdom primary legislation

• Data Protection Act 2018
  https://www.legislation.gov.uk/ukpga/2018/12
• UK General Data Protection Regulation (UK GDPR)
  https://www.legislation.gov.uk/eur/2016/679/contents
• Data (Use and Access) Act 2025
  https://www.legislation.gov.uk/ukpga/2025
• Online Safety Act 2023
  https://www.legislation.gov.uk/ukpga/2023/50
• Digital Markets, Competition and Consumers Act 2024
  https://www.legislation.gov.uk/ukpga/2024/13
• Competition Act 1998
  https://www.legislation.gov.uk/ukpga/1998/41
• Enterprise Act 2002
  https://www.legislation.gov.uk/ukpga/2002/40
• Human Rights Act 1998
  https://www.legislation.gov.uk/ukpga/1998/42
• Equality Act 2010
  https://www.legislation.gov.uk/ukpga/2010/15
• Computer Misuse Act 1990
  https://www.legislation.gov.uk/ukpga/1990/18
• Regulation of Investigatory Powers Act 2000
  https://www.legislation.gov.uk/ukpga/2000/23
• Investigatory Powers Act 2016
  https://www.legislation.gov.uk/ukpga/2016/25
• Automated Vehicles Act 2024
  https://www.legislation.gov.uk/ukpga/2024/10

Regulatory authorities and guidance

• Information Commissioner’s Office
  https://ico.org.uk
• ICO guidance on AI and data protection
  https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence
• CMA guidance on AI foundation models
  https://www.gov.uk/government/publications/ai-foundation-models-update-paper
• Ofcom online safety and emerging technologies
  https://www.ofcom.org.uk/online-safety
• FCA digital and AI guidance
  https://www.fca.org.uk
• Digital Regulation Cooperation Forum
  https://www.gov.uk/government/collections/digital-regulation-cooperation-forum

UK government AI policy frameworks

• UK AI Regulation White Paper
  https://www.gov.uk/government/publications/ai-regulation-a-pro-innovation-approach
• UK government response to AI regulation
  https://www.gov.uk/government/consultations/ai-regulation-a-pro-innovation-approach-policy-proposals/outcome
• UK AI Standards Hub
  https://aistandardshub.org
• Assuring a Responsible Future for AI
  https://www.gov.uk/government/publications/assuring-a-responsible-future-for-ai

EU legislation

• EU AI Act (final text)
  https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689
• EU Data Act
  https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R2854
• EU GDPR
  https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679
• Digital Services Act
  https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2065
• Digital Markets Act
  https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R1925
• Data Governance Act
  https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R0868
• European Data Strategy
  https://data.europa.eu/strategy

International frameworks and standards

• OECD AI Principles
  https://oecd.ai/en/ai-principles
• NIST AI Risk Management Framework
  https://www.nist.gov/itl/ai-risk-management-framework
• NIST AI RMF resources
  https://airc.nist.gov/airmf-resources
• Council of Europe Convention on AI
  https://www.coe.int/en/web/artificial-intelligence
• ISO/IEC AI standards
  https://www.iso.org/committee/6794475.html
• UNESCO AI ethics recommendation
  https://unesdoc.unesco.org/ark:/48223/pf0000379942

Sector-specific guidance

• Financial Stability Board
  https://www.fsb.org
• European Banking Authority – ICT and security guidelines
  https://www.eba.europa.eu
• International Telecommunications Union
  https://www.itu.int/en/ITU-T/ai
• World Economic Forum
  https://www.weforum.org/focus/artificial-intelligence
• Global Partnership on AI
  https://gpai.ai

Also see

• Specialist UK telecoms, AI and data regulation lawyers
• AI & Data
• Telecoms Regulation
• Technology and Telecoms Transactions
• Specialist Co-Counsel
• Fractional General Counsel

Frequently asked questions